Overview

overview

10

Static

static

power.ps1

windows7_x64

10

power.ps1

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    power.ps1

  • Size

    4KB

  • MD5

    64d942a7c2e9dea577a1c062e6dc6bbd

  • SHA1

    4b074b041c48ed8b4e1a175df1ff5dd5614d2c46

  • SHA256

    7bec2a01478bd943f3752937e56ac6dcd8d4d702b2a7eb91dc97b531a732fa6d

  • SHA512

    639cb9246fcda7046922a65408aa0fed462753398f24d030b5664f08bff27f3a0ba5e912568b6c78e7941633aa333b45296da3ff25e4f52a96c959bf016a6a71

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.groupoperationltd.com/mph/

Decoy

caravanmattressesforsale.com

romicalpk.com

procentrall.com

happyworkpro.com

barriobruja.com

olenfex.com

driftandcompile.com

heisen.club

materialmatch.online

maxmaldives.com

wzlxpscr.com

ytvksh.space

amonez.com

hatchmatchusa.com

mcfarlandfamilyevents.com

mcchoo.xyz

ravgugenheim.com

shapeshift.asia

defensebowl.store

styleliving.today

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\power.ps1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\WINDOWS\syswow64\control.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:868
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\WINDOWS\syswow64\control.exe"
        3⤵
          PID:2032

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/792-14-0x000000001B800000-0x000000001B845000-memory.dmp
      Filesize

      276KB

      Download
    • memory/792-11-0x000000001AB30000-0x000000001AB31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/792-2-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/792-5-0x000000001AC40000-0x000000001AC41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/792-6-0x0000000002320000-0x0000000002321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/792-7-0x000000001ABC0000-0x000000001ABC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/792-8-0x000000001ABC4000-0x000000001ABC6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/792-9-0x0000000001E40000-0x0000000001E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/792-10-0x000000001C720000-0x000000001C721000-memory.dmp
      Filesize

      4KB

      Download
    • memory/792-3-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/792-12-0x000000001ABCA000-0x000000001ABE9000-memory.dmp
      Filesize

      124KB

      Download
    • memory/792-4-0x000000001A8E0000-0x000000001A8E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/868-15-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/868-21-0x0000000000210000-0x0000000000224000-memory.dmp
      Filesize

      80KB

      Download
    • memory/868-16-0x000000000041EB20-mapping.dmp
      Download
    • memory/868-19-0x00000000001D0000-0x00000000001E4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/868-18-0x0000000000A80000-0x0000000000D83000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1296-29-0x0000000006FA0000-0x00000000070FF000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1296-20-0x0000000004220000-0x0000000004379000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1296-22-0x0000000006C50000-0x0000000006DCB000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1596-13-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1696-23-0x0000000000000000-mapping.dmp
      Download
    • memory/1696-24-0x0000000000840000-0x0000000000849000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1696-25-0x0000000000080000-0x00000000000AE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1696-27-0x0000000002170000-0x0000000002473000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1696-28-0x0000000001DE0000-0x0000000001E73000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2032-26-0x0000000000000000-mapping.dmp
      Download